---
title: "2019-03-01 Server POST request anomaly"
date: 2019-03-01
categories:
- journal
tags:
---

<div id="content">
<p>
:tcpdump:slow-read-attack:
</p>
<p>
Today the testers reported a problem with POST requests to the test build running on CentOS; the program deployed on Windows has no such problem.
</p>
<pre class="example">
test-1@test-1-saixincompany:~$ sudo tcpdump  -i 1 "host 172.16.0.81"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:55:17.400049 IP test-1-saixincompany.49918 &gt; 172.16.0.81.mmcc: Flags [S], seq 1856969590, win 29200, options [mss 1460,sackOK,TS val 1995352635 ecr 0,nop,wscale 7], length 0
14:55:17.418285 IP 172.16.0.81.mmcc &gt; test-1-saixincompany.49918: Flags [S.], seq 1249461465, ack 1856969591, win 28960, options [mss 1400,sackOK,TS val 709273276 ecr 1995352635,nop,wscale 7], length 0
14:55:17.418316 IP test-1-saixincompany.49918 &gt; 172.16.0.81.mmcc: Flags [.], ack 1, win 229, options [nop,nop,TS val 1995352654 ecr 709273276], length 0
14:55:17.418454 IP test-1-saixincompany.49918 &gt; 172.16.0.81.mmcc: Flags [.], seq 1:1389, ack 1, win 229, options [nop,nop,TS val 1995352654 ecr 709273276], length 1388
14:55:17.418464 IP test-1-saixincompany.49918 &gt; 172.16.0.81.mmcc: Flags [.], seq 1389:2777, ack 1, win 229, options [nop,nop,TS val 1995352654 ecr 709273276], length 1388
14:55:17.418555 IP test-1-saixincompany.49918 &gt; 172.16.0.81.mmcc: Flags [P.], seq 2777:3535, ack 1, win 229, options [nop,nop,TS val 1995352654 ecr 709273276], length 758
14:55:17.437153 IP 172.16.0.81.mmcc &gt; test-1-saixincompany.49918: Flags [.], ack 1, win 239, options [nop,nop,TS val 709273295 ecr 1995352654,nop,nop,sack 1 {2777:3535}], length 0
14:55:17.457211 IP test-1-saixincompany.49918 &gt; 172.16.0.81.mmcc: Flags [.], seq 1:1389, ack 1, win 229, options [nop,nop,TS val 1995352692 ecr 709273295], length 1388
14:55:17.681188 IP test-1-saixincompany.49918 &gt; 172.16.0.81.mmcc: Flags [.], seq 1:1389, ack 1, win 229, options [nop,nop,TS val 1995352916 ecr 709273295], length 1388
14:55:18.145189 IP test-1-saixincompany.49918 &gt; 172.16.0.81.mmcc: Flags [.], seq 1:1389, ack 1, win 229, options [nop,nop,TS val 1995353380 ecr 709273295], length 1388
14:55:19.041192 IP test-1-saixincompany.49918 &gt; 172.16.0.81.mmcc: Flags [.], seq 1:1389, ack 1, win 229, options [nop,nop,TS val 1995354276 ecr 709273295], length 1388
14:55:20.833191 IP test-1-saixincompany.49918 &gt; 172.16.0.81.mmcc: Flags [.], seq 1:1389, ack 1, win 229, options [nop,nop,TS val 1995356068 ecr 709273295], length 1388
14:55:24.609211 IP test-1-saixincompany.49918 &gt; 172.16.0.81.mmcc: Flags [.], seq 1:1389, ack 1, win 229, options [nop,nop,TS val 1995359844 ecr 709273295], length 1388
14:55:31.777217 IP test-1-saixincompany.49918 &gt; 172.16.0.81.mmcc: Flags [.], seq 1:1389, ack 1, win 229, options [nop,nop,TS val 1995367012 ecr 709273295], length 1388
14:55:46.113193 IP test-1-saixincompany.49918 &gt; 172.16.0.81.mmcc: Flags [.], seq 1:1389, ack 1, win 229, options [nop,nop,TS val 1995381348 ecr 709273295], length 1388
14:56:15.297193 IP test-1-saixincompany.49918 &gt; 172.16.0.81.mmcc: Flags [.], seq 1:1389, ack 1, win 229, options [nop,nop,TS val 1995410532 ecr 709273295], length 1388
14:56:17.438019 IP 172.16.0.81.mmcc &gt; test-1-saixincompany.49918: Flags [F.], seq 1, ack 1, win 239, options [nop,nop,TS val 709333298 ecr 1995352654,nop,nop,sack 1 {2777:3535}], length 0
14:56:17.438452 IP test-1-saixincompany.49918 &gt; 172.16.0.81.mmcc: Flags [F.], seq 3535, ack 2, win 229, options [nop,nop,TS val 1995412674 ecr 709333298], length 0
14:56:17.456581 IP 172.16.0.81.mmcc &gt; test-1-saixincompany.49918: Flags [R], seq 1249461467, win 0, length 0
</pre>
<p>
Initial suspicion: a slow read attack protection mechanism.
</p>
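<p>
One way to summarise a capture like the one above: for each segment, count how often the client sent it, check whether the server acknowledged it cumulatively or only via SACK, and list the gaps between retransmissions. This is an added example, not part of the original post; the function names <code>parse</code> and <code>summarise</code> are hypothetical, and the sample lines are abridged from the capture on this page.
</p>

```python
import re
from collections import defaultdict

# Abridged from the capture above: options other than SACK trimmed, first 4 of 9 retransmissions kept.
CAPTURE = """\
14:55:17.418454 IP test-1-saixincompany.49918 > 172.16.0.81.mmcc: Flags [.], seq 1:1389, ack 1, win 229, length 1388
14:55:17.418464 IP test-1-saixincompany.49918 > 172.16.0.81.mmcc: Flags [.], seq 1389:2777, ack 1, win 229, length 1388
14:55:17.418555 IP test-1-saixincompany.49918 > 172.16.0.81.mmcc: Flags [P.], seq 2777:3535, ack 1, win 229, length 758
14:55:17.437153 IP 172.16.0.81.mmcc > test-1-saixincompany.49918: Flags [.], ack 1, win 239, options [nop,nop,sack 1 {2777:3535}], length 0
14:55:17.457211 IP test-1-saixincompany.49918 > 172.16.0.81.mmcc: Flags [.], seq 1:1389, ack 1, win 229, length 1388
14:55:17.681188 IP test-1-saixincompany.49918 > 172.16.0.81.mmcc: Flags [.], seq 1:1389, ack 1, win 229, length 1388
14:55:18.145189 IP test-1-saixincompany.49918 > 172.16.0.81.mmcc: Flags [.], seq 1:1389, ack 1, win 229, length 1388
14:55:19.041192 IP test-1-saixincompany.49918 > 172.16.0.81.mmcc: Flags [.], seq 1:1389, ack 1, win 229, length 1388
14:56:17.438019 IP 172.16.0.81.mmcc > test-1-saixincompany.49918: Flags [F.], seq 1, ack 1, win 239, options [nop,nop,sack 1 {2777:3535}], length 0
"""
HEAD = re.compile(r"(\d+):(\d+):([\d.]+) IP (\S+) > ")
SEQ, SACK = re.compile(r"seq (\d+):(\d+)"), re.compile(r"sack \d+ \{(\d+):(\d+)\}")
ACK = re.compile(r", ack (\d+)")  # leading comma so "sack 1" is not mistaken for an ack

def parse(line):
    """Return timestamp (s), sender, seq range, ack and SACK block of one tcpdump line."""
    h, ack = HEAD.match(line), ACK.search(line)
    if not h:
        return None
    pair = lambda m: (int(m[1]), int(m[2])) if m else None
    return {"ts": int(h[1]) * 3600 + int(h[2]) * 60 + float(h[3]), "src": h[4],
            "seq": pair(SEQ.search(line)), "ack": int(ack[1]) if ack else 0,
            "sack": pair(SACK.search(line))}

def summarise(text, client):
    """Per client segment: times sent, acknowledgement state, gaps between retransmissions."""
    sent, peer_ack, sacks = defaultdict(list), 0, set()
    for p in filter(None, map(parse, text.splitlines())):
        if p["src"].startswith(client):
            if p["seq"]:
                sent[p["seq"]].append(p["ts"])
        else:  # packet from the server: track its highest cumulative ack and SACK blocks
            peer_ack = max(peer_ack, p["ack"])
            if p["sack"]:
                sacks.add(p["sack"])
    report = {}
    for (a, b), times in sorted(sent.items()):
        state = ("acked" if b <= peer_ack else "sacked"
                 if any(s <= a and b <= e for s, e in sacks) else "unacknowledged")
        gaps = [round(y - x, 3) for x, y in zip(times[1:], times[2:])]
        report[(a, b)] = {"sends": len(times), "state": state, "rto_gaps": gaps}
    return report

if __name__ == "__main__":
    print(summarise(CAPTURE, "test-1-saixincompany"))
```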
<p>
<a href="https://serverfault.com/questions/645025/tcp-dump-cannot-understand-these-4-lines">https://serverfault.com/questions/645025/tcp-dump-cannot-understand-these-4-lines</a>
<a href="https://serverfault.com/questions/775837/how-to-set-the-maximum-tcp-receive-window-size-in-linux">https://serverfault.com/questions/775837/how-to-set-the-maximum-tcp-receive-window-size-in-linux</a>
<a href="https://blog.qualys.com/securitylabs/2012/01/05/slow-read">https://blog.qualys.com/securitylabs/2012/01/05/slow-read</a>
<a href="https://blog.csdn.net/abccheng/article/details/50402279">https://blog.csdn.net/abccheng/article/details/50402279</a>
</p>
</div>
<div class="status" id="postamble">
<p class="date">Date: 2019-03-01</p>
<p class="author">Author: gdme1320</p>
</div>
